What's to stop malicious actors (bad extensions, compromised CDN, etc.) from painting over the QR code or injecting their own? This is so incredibly terrible.